Register.com suffers week-long DDoS attack on DNS servers

DNS Servers Used as Reflectors to Amplify DDoS Impact

January 6, 2001 - Register.com came under a severe Distributed Denial of Service (DDoS) attack that lasted for an entire week. This was the first major attack using Domain Name Service (DNS) servers as reflectors. To amplify the attack, the attacker sent spoofed requests to AOL.com's MX records causing a typical 25 byte request to become a 500 byte reply. This resulted in the DDoS attack being amplified 20 times. The cyber criminal also used many DNS servers from around the world. It was estimated that tens of thousands of DNS records were used.

To stop the DDoS, Register.com contacted almost all of the Internet Service Providers (ISPs) whose DNS servers were used for the attack amplification. The spoofed Internet Protocol (IP) address was 209.67.50.203. All affected DNS servers were advised to block user datagram protocol (UDP) packets from this IP address and target port 53. Register.com counted 60 to 90 Mb of traffic toward the targeted IP address. Additionally, DNS servers hit by the DDoS were asked to place an access control list (ACL) for the targeted IP address and port. After that action, the DDoS attack soon stopped.

About Secure64 Software Corporation
Secure64® is a software developer providing highly secure DNS and server applications with built-in denial-of-service protection features to help ensure your Internet-dependent business is always accessible. Based on the genuinely secure SourceT® microOS, Secure64 DNS remains highly available during network attacks and is immune to compromise from rootkits and malware.